Ecommerce Forum

This 52 message thread spans 2 pages.
Largest Order Ever
How can I make sure it's legit?

 6:36 pm on Oct 30, 2007 (gmt 0)

Today I received my largest order ever, which is about 25 times the average order amount. The shipping and billing addresses match, although I'm not sure if the card and billing address match at this point. It is being shipped within the US.

What steps can I take to minimize the possibility that I'll be burned on this?



 6:44 pm on Oct 30, 2007 (gmt 0)

Assuming you have/can get the full card number, call the issuing bank to confirm the card was issued to the name/address you have.

Once you've confirmed that the card used does in fact belong to the person at the ship to: address, give a courtesy call to the customer to verify the order. You need to be certain that this person actually is the one who placed the order. This can be done without raising any alarms - just verify an inane part of the order - color, size, etc.

If you don't have a phone number - your job is harder.


 7:25 pm on Oct 30, 2007 (gmt 0)

I disagree about calling to verify the order if everything matches.

Mr. Goldfarb, did you purchase this silver Rolex?
Yes, I did.
Are you now, or have you ever been, a fraudster?
No, sir.
What's your address?
13 Crotchety Pike
It matches, thanks for your time. And enjoy your new watch.

If you called the fraudster, would they admit it? I doubt it. Actually they tend to be quite charming and polite.

The card and billing address must match and you need to have a record of it matching; second best is calling the bank if you have to (they don't give out information or phone numbers, you just give info. and they say match or no match, nothing else). The fact that the billing and shipping address match or not is irrelevant; if the billing address matches, things can safely be shipped anywhere (if you get a signature, that is). Getting the number from the customer to the bank can imply fraud to the customer, which some people don't like.

It sounds good to call in theory, but in reality it often raises red flags in the mind of a legit customer. Especially don't discuss the order with anyone else over the phone (i.e. relatives, the estranged wife). Calling to verify information anonymously is fine.

One of the best rules of sales is the KISS rule (keep it simple stupid).


 8:01 pm on Oct 30, 2007 (gmt 0)

1) Verify the credit card billing address matches the shipping address. (Completely, not just zip)

2) Verify the IP address is within the US

3) Ship with signature required by UPS / Fedex

4) We also make a quick call to the customer. I thank them for the order and tell them I've been assigned as his "account rep" and if he has any questions he can call me directly.


 8:08 pm on Oct 30, 2007 (gmt 0)

ispy like that KISS rule what we go by but I never named it but now I have a name.

I agree with ispy: leave the customer alone (scammers are good at what they do) but verify the card.

Now remember sometimes the card will not match when you do the automated service on checking. They could have moved so if the card does not match call the issuing bank. This can be obtained from your merchant services.

Get a human on the phone, give them the information and verify the address and phone number. If, say, the address does not match, have the bank call the owner of the card and let them talk to the owner. This keeps you out of the loop and you won't make a bad decision by a sweet talking crook. Banks know what information to ask to verify the account you don't have access to.

I made a 5k mistake myself about 5 years ago, let Greed take over...

The bank will call you back with an answer.

[edited by: bwnbwn at 8:10 pm (utc) on Oct. 30, 2007]


 8:09 pm on Oct 30, 2007 (gmt 0)

It sounds good to call in theory, but in reality it often raises red flags in the mind of a legit customer.

Not always. On the customer side I've gotten several verification calls for large ticket orders. Maybe it's because I know all the hassles you ecommerce folks go through that I don't mind, but if nothing else it can save a bit of agita on both sides down the line.


 8:14 pm on Oct 30, 2007 (gmt 0)

I don't know if you can still do this or not. Years ago once you had verified all the other details you could call the bank and reserve the dollar amount in or on his credit line. That way your claim was in before any other incoming claims for the money.

Today with everything being electronically handled this might not be applicable anymore...KF


 8:16 pm on Oct 30, 2007 (gmt 0)

jimbeetle, actually I have called many card owners when information matches but they are shipping to another address.

BTW, been burned with this one too; the crook had it all.

So the way I approach this is I call the customer, tell them who I am, that a charge has been placed on our website, and that I just wanted to make sure they knew this was being done.

I have yet to have anyone get upset with me, and the fact is most are thankful I would take the time to let them know.

I have as well been burned by kids using the parents card and then the parents saying they used it without their permission....

You got that right What us ecommerce guys go through is sometimes crazy why we keep doing it....

BTW Tonearm congratulations on your big sale let us know how it pans out ok....


 8:34 pm on Oct 30, 2007 (gmt 0)

Got an order for $85,000 once; I requested a wire transfer for half the order and then shipped half and the other half before final shipping.

Client was British army though, in Kuwait. So you see, a large order does not immediately mean being illegitimate.


 9:57 pm on Oct 30, 2007 (gmt 0)

I tell such customers that I require a signature confirmation on large orders. If they say they don't need that, I say I need it for my credit card processor. If they won't do it, I void the order.

I did end up offending some company once that placed a huge order for all the same item, which is a huge red flag in my experience. I called and asked for the name of the issuing bank and the customer service phone number from the back of the card (this was before many people were using the cvv). One person I communicated with there got mad and wanted to cancel the order. They still bought the stuff, but after that I never called a customer about a charge again. I just void it if I don't feel right about it.


 10:12 pm on Oct 30, 2007 (gmt 0)

Legitimate customers are not bothered by a call. For an order within the US, it's usually possible to verify who a phone number belongs to - I generally use switchboard-dot-com (no affiliation), to avoid speaking with a fraudster.

It's highly unlikely that a fraudster would be shipping an item to the actual cardholder's billing address and answering their phone.

If you have verified the billing/shipping (same) address for the card used, you SHOULD be safe shipping to that address. If for some reason phone confirmation is not possible, do not provide the tracking number, as a fraudster may use it to redirect the package.

ispy - The hypothetical exchange you composed between a merchant and possible customer is funny - but probably not exactly how a smart merchant would go about it.


 1:32 am on Oct 31, 2007 (gmt 0)

Legitimate customers are not bothered by a call.

Totally agree. In fact a legit customer who bought so much may add to the order when you phone and show concern. Happens about 10% of the time.

Make up some reason for calling, such as to go over the delivery timeframe. Don't ID yourself as the boss but rather an underling. That way another employee can call later if need be and patch up "a misunderstanding."

Don't assume scammers are sophisticated. 98% are transparent dimwits. Criminal masterminds exist mainly in popular lore.

Use Zillow and other real estate sites to check out the "ship to"


 5:27 am on Oct 31, 2007 (gmt 0)

Try searching for the customer's info in search engines, e.g.

1. e-mail address - if you can find their e-mail address, it is a good sign. Fraudsters are unlikely to use throwaway e-mail addresses for posing in forums, blogs or for their business.

2. Their tel no. Google will show up if the address matches.

3. Their address - sometimes, it may throw some interesting information about the occupants.

4. Their names - you may be able to find some other information about this person.

5. You should probably call anyway, at least to check that the tel no. is genuine and that the person exists.

I found that the most important indicator for fraud is the e-mail. If it looks normal and matches the person's name, then it should be OK. If the e-mail account belongs to the company, you should check the company's website. You could ring up the company and ask to speak to the employee directly.

You can trust me on this because I have shipped tens of thousands of orders to more than 150 countries. We do carry some highly resellable items such as flash memory cards. Yet our fraud rate is now almost 0; we achieved this record after learning lots of terrible lessons.


 6:47 pm on Oct 31, 2007 (gmt 0)

We have had this exact same occurrence just this week - unexpected large orders. All but one turned out to be 100% legitimate in spite of the presence of "red flags".

Our cart does AVS and CVV2, and additionally requests the phone number of the issuing bank. We don't "say" the phone number is optional, but it is. Also, we don't reject an order based on a CVV2 mismatch, because many customers don't get it right, or the numbers are rubbed off.

However, we have several "red flags," with varying levels of importance:
- AVS mismatch, address and zip - mild (people move)
- CVV2 mismatch, bears closer investigation
- Billing /shipping same or no?
- Bank phone provided, and is it the issuing bank?
- Shipping by Express Mail?

What's important are several of these in combination. When we get a large order and any three of these are present, we begin looking. derekwong's suggestion is a good one - for the U.S., if the person's in the white pages and their address matches the order, it begins to look OK.

We got our first "legitimate" fraud the other day. Large order, Global Express (more than the order,) Billing New Jersey, Shipping South Africa, all phony phone numbers - gee I'd have never caught that one. :-)

Most of the time we can do this without calling the customer, but in a couple we have had to as a final check. True, they can lie, but you can tell a lot by listening to someone talk.

And I tend to agree, once the customer understands you are looking out for their interests and not doing a sales call, they are not only cooperative they are extremely grateful you take the time to call them.
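The combination rule described in the post above (several weak signals together, not any single one, trigger a manual look at a large order), as an added example that is not part of the original thread. The `Order` fields, the `LARGE_ORDER` amount and the sample orders are assumptions constructed for illustration; only the five flags and the "any three" threshold come from the post.

```python
from dataclasses import dataclass
from typing import List, Optional

LARGE_ORDER = 500.00   # assumed cut-off; the post does not give a figure
FLAG_THRESHOLD = 3     # "any three of these are present, we begin looking"

@dataclass
class Order:
    amount: float
    avs_match: bool                       # address and zip both matched
    cvv2_match: bool
    ship_to_billing: bool                 # shipping address == billing address
    bank_phone: Optional[str]             # optional field on the cart
    bank_phone_is_issuer: Optional[bool]  # None = not checked yet
    shipping_method: str

def red_flags(order: Order) -> List[str]:
    """Return the flags from the post that are present on this order."""
    flags = []
    if not order.avs_match:
        flags.append("AVS mismatch (mild: people move)")
    if not order.cvv2_match:
        # Never an automatic reject: customers mistype or cannot read it.
        flags.append("CVV2 mismatch (bears closer investigation)")
    if not order.ship_to_billing:
        flags.append("shipping differs from billing")
    if not order.bank_phone:
        flags.append("no issuing-bank phone provided")
    elif order.bank_phone_is_issuer is False:
        flags.append("phone given is not the issuing bank")
    if "express" in order.shipping_method.lower():
        flags.append("express shipping requested")
    return flags

def needs_review(order: Order) -> bool:
    """Large order plus at least three flags means a human looks at it."""
    return order.amount >= LARGE_ORDER and len(red_flags(order)) >= FLAG_THRESHOLD

# Constructed sample orders.
CLEAN = Order(2400.0, True, True, True, "800-555-0100", True, "UPS Ground")
MOVED = Order(2400.0, False, True, True, "800-555-0100", True, "UPS Ground")
RISKY = Order(2400.0, False, False, False, None, None, "Global Express")
SMALL = Order(40.0, False, False, False, None, None, "Express Mail")

if __name__ == "__main__":
    for name, o in [("clean", CLEAN), ("moved", MOVED),
                    ("risky", RISKY), ("small", SMALL)]:
        print(name, needs_review(o), red_flags(o))
```

A result of `True` means "begin looking", not "reject": the post's next steps are a white-pages lookup and, as a final check, a call.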


 9:18 pm on Oct 31, 2007 (gmt 0)

numbers are rubbed off

Yep, they lasted 3 months on my last credit card. Had to call the issuer just to get a new one with a readable cvv. They said such a request was very common.


 9:52 am on Nov 1, 2007 (gmt 0)

Run the delivery address through Google, just to see if it's a forwarding firm.


 5:30 pm on Nov 2, 2007 (gmt 0)

>>>Try searching for the customer's info in search engines

This is always a good idea for large orders.

I agree, call them. Do not volunteer all the information. Be a little vague about what they have ordered. Fraudsters order lots of stuff and usually they have no idea what they have ordered or who they ordered from.

Another ploy I use is to tell them there may be a delay before shipping; fraudsters know the clock is ticking and will immediately start asking for express shipping.


 6:39 pm on Nov 2, 2007 (gmt 0)

Actually on every card I have seen the CVV does not rub off, it's embossed. You simply have to take the extra time to angle the card and see the number.


 6:45 pm on Nov 2, 2007 (gmt 0)

Here are the steps we take:

Verify with the credit card company that the following are correct:
1 billing address
2 name on card
3 CVV number is correct

Amex will actually call the customer with the phone number they have on file to verify that they actually placed the order. In the past we had a situation where it all matched, however the customer did not make the purchase, but their grandson did without their permission.

Also be aware that if the card is a "secondary" card on the account that the primary card holder CAN file a chargeback claiming that they did not "authorize" the charge. We were screwed on that one.

We've also had everything match, it shipped to the billing address however the person that placed the order (once they got the tracking #) had the package rerouted with fedex, which cost us an additional 5.00 fee on top of the chargeback fee AND cost of the item.

Verify that they are shipping to the billing address in your system.
Ship ups or fedex with "DIRECT SIGNATURE" required, but this doesn't totally guarantee it. They can deny that it is their signature.

You can have the customer fax you a copy of their drivers license with a signature on the page.

When in doubt, request money order or western union payment.

Sometimes you have to go with your gut feeling because the CC companies are NOT out to protect you. They are out to protect the customer and their own money.


 7:27 pm on Nov 2, 2007 (gmt 0)

Those that say leave the customer alone have obviously never lost a 2K order to fraud.

CALL - did it for years on large orders and tell them you're doing it "for security purposes" to make sure it wasn't an unauthorized charge. Most people were thrilled about the extra level of customer support because you can also inform them WHEN it will ship and WHEN it will arrive!

HOWEVER, make sure the whole order smells right, as just calling to check that the phone # is valid isn't enough because it could be a stolen or throw away cell phone.

More thorough validation for larger orders is easily done starting with the following:

1. Use GeoIP to confirm the IP address that placed the order is near where they live

2. Look at the email address too, as many fraudsters use out of country email accounts to avoid that nasty subpoena, so checking the location of the email service provider is another clue.

For instance, I've seen an IP from Singapore with an email account in France ordering something for Los Angeles - my alarms went off right away.

3. Look in Google for the name + city and see if they show up with the same name, address and phone #

4. Call information at (AREA CODE)+555-1212 and ask to confirm the name, address and phone # match because Google could be out of date ;)

Doing both #3 and #4 might sound redundant but it confirms some history, as I've seen a stolen VISA DEBIT card work where the thief looked up the customer's 6 month old PRIOR address in Google and the AVS system still accepted the charge although the customer hadn't lived in that address for 6 months.

5. If everything looks good, call the customer to confirm the order is valid and give them a shipping date and thank them for ordering.

3-5 minutes doing those simple checks could save you thousands in losses.



 7:29 pm on Nov 2, 2007 (gmt 0)

Just a suggestion that caution should probably be exercised when replying to this thread. Fraudsters read forums too (especially topics that end up on the front page and well indexed in Google). If everyone lays out the steps that they take to avoid fraud, well...


 7:34 pm on Nov 2, 2007 (gmt 0)

If everyone lays out the steps that they take to avoid fraud, well...

If your fraud detection is pretty bullet proof using a combination of CVV, phone company name/address/phone verification and verbal customer confirmation there's not much more they can do short of driving down the street looking for packages on doorsteps and stealing them.

The only time you'll get nailed is when you let your guard down.


 7:36 pm on Nov 2, 2007 (gmt 0)

We would ALWAYS call - heck, just to thank them for the order, and find out how they came to order from us, etc. Never had one client or client's customer who wasn't happy to confirm and chat about the order, their needs, how they found us, the industry, etc etc. Maybe it depends on what you're selling and who you're selling to (most of our stuff is B2B)


 9:54 pm on Nov 2, 2007 (gmt 0)

I don't understand the benefit of phoning them. I used to do it, but found it difficult to tell over the phone whether or not they are legitimate. It isn't as if the criminals just give themselves up as soon as you call them.

I used to bring up a satellite photo or map of their billing address and then ask them something about a nearby landmark. If they didn't know, for example, the nearest railway station to their house, chances are they don't actually live there. In the end though I decided that was too intrusive for legitimate customers.

Now I just cancel any order which looks suspect (usually a few each day), sending them an email saying that we couldn't verify their card details. Legitimate customers will almost always call and question why we've cancelled the order - at which point we just apologise and reinstate it. Fraudsters very rarely call to do that. They just assume the card they are using has been cancelled.


 9:58 pm on Nov 2, 2007 (gmt 0)

You may want to call the customer and request a faxed copy of their license or passport. I did this in the past with suspicious or international orders. As much as I hated having to ask for that level of personal info, it beat having to eat fraudulent orders.

Also, be sure to require a signature for your package. This helps with Merchant Service should you have to dispute a chargeback...


 10:03 pm on Nov 2, 2007 (gmt 0)

There is very little benefit to calling the thief. There is great benefit in calling the actual card holder, as they will be able to verify that they placed the order.

I'll clarify my original point:

Call the card holder.

If you don't have the card holder's phone number - get it. If you can't get it, cancel the order and notify the customer of the cancellation.


 10:08 pm on Nov 2, 2007 (gmt 0)

Somewhat risky, but we drag our feet in shipping questionable orders. Scammers often email a day or two later to see if the merchandise has been shipped.

Legitimate buyers will understand that huge orders may take longer to ship.


 10:43 pm on Nov 2, 2007 (gmt 0)

Fraudsters read forums too

From what the FBI says, about 95% of even bank robbers spend virtually no time planning their crimes.

Did you see the hilarious video 2 weeks ago of a hapless U.S. bank robber who didn't even notice the armed uniformed guard at his desk just inside the front door? While the robber was pulling his gun on a teller, the guard came up a few feet behind him with his gun drawn!

Two cases come to mind where bank robbers wrote notes on the back of their own utility bills.

I did note that the original question (from Tonearm) came from an old active WebmasterWorld member.


 2:38 am on Nov 3, 2007 (gmt 0)

In addition to the many other things people have mentioned, one little check that we've learned over the years is to query the IP address of the buyer for a running webserver. (To do it manually, just paste it into a browser like [ip-address)...]

Often, to fake out the geo-ip checks, fraudsters will use hacked servers in US datacenters to make the orders.

99% of the time, if the IP answers on port 80, it's a fraud order, no matter how good it looks otherwise. That's really a conservative estimate, because I can only recall one legitimate order that failed that test in 6 years of taking multiple daily orders.

Definitely don't be afraid to call if you're concerned. We've done that for years and I've never heard of anyone being upset by it. Usually, it's quite the opposite.
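The port 80 check from the post above, automated for an order-screening step, as an added example that is not part of the original thread. The function names, the timeout and the result strings are assumptions; a host that answers is a signal for manual review of that order, weighed with the other checks in this thread.

```python
import ipaddress
import socket

def answers_on_port(ip: str, port: int = 80, timeout: float = 3.0) -> bool:
    """True if a single TCP connection to ip:port is accepted within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        # Refused, unreachable, filtered or timed out: nothing is answering.
        return False

def screen_order_ip(ip: str, port: int = 80, timeout: float = 3.0) -> str:
    """Classify the IP recorded on an order.

    "invalid" - the stored value is not an IP address (check the order log)
    "answers" - something accepts connections on the web port; the post
                treats this as a strong sign the buyer came through a
                server or proxy instead of a home or office connection
    "silent"  - nothing answered; the check adds no suspicion
    """
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    return "answers" if answers_on_port(ip, port, timeout) else "silent"

if __name__ == "__main__":
    # 192.0.2.10 is a documentation-range address used as a placeholder;
    # substitute the IP logged with the order under review.
    print(screen_order_ip("192.0.2.10", timeout=1.0))
```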


 2:48 am on Nov 3, 2007 (gmt 0)

In addition to the many other things people have mentioned, one little check that we've learned over the years is to query the IP address of the buyer for a running webserver. (To do it manually, just paste it into a browser like [ip-address)...]

Often, to fake out the geo-ip checks, fraudsters will use hacked servers in US datacenters to make the orders.

That's a great tip and the servers probably aren't even hacked, it's more likely a PHP or CGI-based anonymous proxy server most of the time to obfuscate their identity.
